Six months ago I posted an outline for encrypting your system with LUKS. Well, I figure it’s about time for me to write up how to actually go about it. In this post, I’ll outline the necessary kernel configuration.

The basic kernel configuration that I mentioned a long time ago still holds. Basically, you need to have the following options built into your kernel: CONFIG_DM_CRYPT, CONFIG_CRYPTO_CBC, CONFIG_CRYPTO_SHA256, and CONFIG_CRYPTO_AES. Most of those will be turned on when you enable:

Device Drivers ->
  Multiple devices driver support (RAID and LVM) ->
    Device mapper support ->
      Crypt target support

However, SHA256 support will not be enabled by that; it can be found at:

Cryptographic API ->
  SHA224 and SHA256 digest algorithm

On the note of kernel configuration: for this process, you will need to do a fair amount of work from within another Linux environment (most likely a LiveCD). For Gentoo, the most recent CD image I’ve found that has all the necessary configuration is the 2006.1 version… As I recall, some of the intermediate minimal CDs, at least, didn’t have cryptsetup at all. And the most recent weekly build I tried, while it did have LVM and cryptsetup installed, didn’t have CONFIG_CRYPTO_SHA256 either built in or as a module.
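One way to check whether a kernel, including a LiveCD's, actually has the four options above before relying on it, as an added example that is not part of the original post: the script reads a kernel config file such as /boot/config-$(uname -r) (or a decompressed copy of /proc/config.gz, where the kernel exposes it) and reports each option as built in, module, or missing. The function names and the sample config are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel .config for the
# options this post says LUKS needs. Pass the path to a config file, e.g.
# /boot/config-$(uname -r), or a decompressed copy of /proc/config.gz.
# Exit status: 0 if every option is built in (y) or a module (m), 1 otherwise.
# The option list and the helper names below are this example's own choices.

LUKS_REQUIRED_OPTIONS="CONFIG_DM_CRYPT CONFIG_CRYPTO_CBC CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_AES"

# kconfig_state FILE OPTION -> prints "y", "m", or "n"
kconfig_state() {
    # A set option appears as CONFIG_FOO=y or CONFIG_FOO=m; an unset one as
    # "# CONFIG_FOO is not set" or not at all, so treat both as "n".
    value=$(sed -n "s/^$2=\([ym]\)$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${value:-n}"
}

# check_luks_kconfig FILE -> reports each option, returns 1 if any is missing
check_luks_kconfig() {
    missing=0
    for opt in $LUKS_REQUIRED_OPTIONS; do
        state=$(kconfig_state "$1" "$opt")
        case "$state" in
            y) echo "$opt: built in" ;;
            m) echo "$opt: module (make sure the LiveCD or initramfs loads it)" ;;
            *) echo "$opt: MISSING"; missing=1 ;;
        esac
    done
    return "$missing"
}

# Constructed sample config reproducing the LiveCD problem from the post:
# dm-crypt, CBC and AES present, but no SHA256 built in or as a module.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_CBC=m
# CONFIG_CRYPTO_SHA256 is not set
CONFIG_CRYPTO_AES=y
EOF
}

if [ "$#" -gt 0 ]; then
    check_luks_kconfig "$1"
fi
```

Run it as `sh check.sh /boot/config-$(uname -r)`; a non-zero exit means the kernel in question will not be able to open a LUKS volume using the defaults this post assumes.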

Probably the best bet is an Ubuntu 8.10 Alternate CD. You’ll have to either boot in recovery mode or go through part of the installation procedure, as cryptsetup isn’t initially available. But once it has detected the CD and loaded the modules from it, you can switch to another virtual console and do things from there.

Next time, I’ll outline creating the disk partitions.